The pandemic has forced many nonprofits to change to work-at-home mode for extended periods, and some may remain there even as COVID-19 recedes. This shift in operations offers potential advantages, but it’s critical that organizations institute new, or adapt existing, internal controls to protect their finances and accounting-related data. Here are some of the most important areas to survey.
Conduct a risk assessment
Ideally, you should perform a new risk assessment every time your organization undergoes significant changes in operations. The tumult created by the pandemic and recession certainly qualifies.
A comprehensive assessment likely will reveal new risks, as well as different twists on more standard risks related to, for example, fraud or human error. This assessment is a fundamental first step toward mitigating your nonprofit’s vulnerabilities.
One employee should never be responsible for collecting, recording, reconciling and depositing cash receipts — those duties should be split up, or segregated, among multiple employees. Different employees should be assigned to approve, record and report transactions. And, if applicable, the employee who handles incoming payments shouldn’t also handle outgoing invoices.
Smaller organizations find segregating duties difficult in “normal” times. But when accounting and finance employees are working remotely and independently, the challenge is compounded. For example, you’ll need to adjust procedures for approving and making payments and for processing receivables.
Make payments safely
If your organizational policy (as opposed to bank policy) requires two signatures on outgoing checks, you might be able to document the second signer’s approval virtually. Your accounting software may include features for building a digital trail of the necessary reviews and approvals. If it doesn’t have such capabilities, other technological tools (for example, Slack, Google Documents or Microsoft Teams) can help.
Alternatively, you could reach out to your vendors and arrange to pay via a different method. You may be able to pay online, with automated clearinghouse (ACH) payments or by credit card over the phone. For the longer term, consider adopting an automated software solution, such as those offered by MineralTree or Bill.com.
For incoming cash flow, you can establish similar electronic alternatives for members, customers, donors and grantmakers, thereby eliminating the risks associated with the receipt of payments by mail. One option to avoid at all costs? Having payments forwarded to employees’ homes for processing. The opportunity for fraud is too great. In these trying economic times, even the most trusted employee might be tempted to go astray.
Don’t forget reconciliation
You’re no doubt attempting to keep a lot of plates spinning right now, but don’t let vital internal controls lapse. In the current environment, regular reconciliations are perhaps more important than ever. In fact, they’re one of the most effective methods for detecting discrepancies.
What should you reconcile? First and foremost, an employee who doesn’t have check-signing authority should perform a monthly reconciliation of bank statements. A trusted staffer also should reconcile accounts payable and accounts receivable. This includes reconciling the donor database against contributions revenue and donations against deposits. Additional reconciliations may be advisable depending on your circumstances, and don’t forget the important step of management review to ensure that all discrepancies are resolved.
Protect your culture
Take care to maintain a culture that prioritizes ethical behavior as well as anti-fraud policies and practices. But, as many organizations have learned over the last year, culture can suffer when employees are scattered.
Proactive measures are essential. As always, the tone at the top matters. Organizational leaders should regularly communicate with staff to reinforce the need for adherence to internal controls. Don’t rely solely on emails or texts for this messaging — incorporate phone or video conferencing to emphasize the point.
Adapt cybersecurity to homes
An ongoing reliance on remote workers calls for greater cybercrime vigilance. Hackers and other malicious actors have had a field day penetrating employees’ poorly secured home networks to access their employers’ confidential information.
Talk to your IT staff to ensure that the necessary firewalls, multi-factor authentication and other protective measures have been adapted for work at home. You may need new policies to alert employees to which practices are secure and permissible and which are prohibited. For example, you might forbid employees to use unsecured networks.
Employees also may need training to prevent cyberattacks and data theft. For example, the prevalence of phishing has risen during the pandemic, targeting victims on both work and personal devices. An employee who clicks on a predatory link in an email sent to a personal account can unleash malware that collects both personal and professional information.
We can help provide specific, tailored recommendations for tweaking or implementing internal controls to reflect your changed circumstances while maintaining necessary safeguards. We can also help you use the lessons learned during the pandemic — what worked and what didn’t — to safely continue remote working arrangements and prepare for any future crises.